Roles

A role defines which applications and what parts
of each application users can access and what they can do. In other words,
roles determine users' authorization levels.

For example, in a personnel application all employees might have access
to phone numbers and email addresses, but only managers would have access
to salary information. The application might define at least two roles: employee and manager; only users in the manager role are allowed to view salary information.

A role is different from a user group in that a role defines a function
in an application, while a group is a set of users who are related in some
way. For example, in the personnel application there might be groups such
as full-time, part-time, and on-leave, but users in all these groups would still be in the employee role.

Roles are defined in application deployment descriptors. In contrast,
groups are defined for an entire server and realm. For each application,
the application developer or deployer maps each role to one or more groups
in that application's deployment descriptor.
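
The personnel example above, written as deployment descriptor fragments that declare the two roles, restrict salary pages to the manager role, and map roles to groups. This is an added example, not part of the original documentation; the URL patterns, the managers group name, and the sun-web.xml-style security-role-mapping element used for the server-specific part are assumptions.

```xml
<!-- Fragment 1: web.xml (standard descriptor). Roles are declared here and
     resources are constrained by role. URL patterns are hypothetical. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Directory</web-resource-name>
    <url-pattern>/directory/*</url-pattern>
    <!-- No http-method element: the constraint covers every HTTP method -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Roles are not hierarchical, so manager is listed explicitly in case
         a manager's groups are not also mapped to the employee role -->
    <role-name>employee</role-name>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Salary</web-resource-name>
    <url-pattern>/salary/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Only the manager role may view salary information -->
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>

<security-role><role-name>employee</role-name></security-role>
<security-role><role-name>manager</role-name></security-role>

<!-- Fragment 2: server-specific descriptor (assumed sun-web.xml style).
     Each role is mapped to groups that exist in the server's realm. -->
<security-role-mapping>
  <role-name>employee</role-name>
  <group-name>full-time</group-name>
  <group-name>part-time</group-name>
  <group-name>on-leave</group-name>
</security-role-mapping>
<security-role-mapping>
  <role-name>manager</role-name>
  <!-- "managers" is an assumed group name; the page does not name one -->
  <group-name>managers</group-name>
</security-role-mapping>
```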